API Types
- REST API: full-featured — caching, usage plans, API keys, request/response transformations, WAF.
- HTTP API: simpler, cheaper, faster — JWT authorizers, OIDC, CORS auto-config. No caching or usage plans.
- WebSocket API: persistent connections for real-time bidirectional communication.
Authorization
- IAM authorization: Signature Version 4 signing. Best for AWS service-to-service calls.
- Lambda authorizer (custom): returns an IAM policy. Token-based or request parameter-based.
- Cognito authorizer: validates JWT tokens from a Cognito User Pool. REST API only.
- HTTP API supports JWT authorizers natively (Cognito or any OIDC provider).
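The Lambda authorizer bullet above only says the function "returns an IAM policy". As an added example (not code from the page or from AWS), here is a minimal token-based authorizer for a REST API: it parses a Bearer token from the event's `authorizationToken`, looks it up, and returns an `execute-api:Invoke` policy. The token store `VALID_TOKENS` and the principal ids are constructed placeholders; a real authorizer would verify a signed JWT or query an identity provider instead. The example also handles the caching edge case the notes hint at: because the returned policy is cached per token for the authorizer TTL, the Allow is scoped to the whole stage rather than to the single `methodArn` that triggered the call.

```python
import hmac

# Constructed sample credential store for this example only; a production
# authorizer would validate a signed JWT or call an identity provider.
VALID_TOKENS = {
    "demo-token-123": "user-42",   # hypothetical token -> principal id
}


def parse_bearer(header_value):
    """Return the token from an 'Authorization: Bearer <token>' value, else None."""
    if not header_value:
        return None
    parts = header_value.split()
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1]


def lookup_principal(token):
    """Compare against each known token in constant time; None if no match."""
    for known, principal in VALID_TOKENS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return principal
    return None


def stage_resource_arn(method_arn):
    """Widen a single method ARN to every method in the same stage.

    methodArn looks like arn:aws:execute-api:REGION:ACCOUNT:API_ID/STAGE/VERB/RESOURCE.
    Authorizer results are cached per token for the configured TTL, so an Allow
    limited to one method would be replayed for other methods and yield 403s.
    """
    prefix, path = method_arn.split("/", 1)   # "arn:...:API_ID", "STAGE/VERB/RESOURCE"
    stage = path.split("/", 1)[0]
    return f"{prefix}/{stage}/*/*"


def build_policy(principal_id, effect, resource, context=None):
    """Build the authorizer response: principalId plus an IAM policy document."""
    policy = {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": resource,
            }],
        },
    }
    if context:
        # Only string/number/bool values; reaches the integration as
        # $context.authorizer.<key>.
        policy["context"] = context
    return policy


def lambda_handler(event, context):
    """Entry point for a TOKEN-type Lambda authorizer (REST API)."""
    method_arn = event["methodArn"]
    token = parse_bearer(event.get("authorizationToken"))
    principal = lookup_principal(token) if token else None
    if principal is None:
        # Explicit Deny: the client receives 403. Raising Exception("Unauthorized")
        # instead makes API Gateway return 401.
        return build_policy("anonymous", "Deny", method_arn)
    return build_policy(principal, "Allow", stage_resource_arn(method_arn),
                        context={"principal": principal})


if __name__ == "__main__":
    # Constructed invocation event of the shape API Gateway sends to a TOKEN authorizer.
    sample_event = {
        "type": "TOKEN",
        "authorizationToken": "Bearer demo-token-123",
        "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/items",
    }
    print(lambda_handler(sample_event, None))
```

The deny branch returns an explicit Deny policy rather than falling through, so a malformed or missing header never reaches the backend; the Allow branch carries the resolved principal in `context` so the integration does not have to re-validate the token.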
Stages & Deployments
- A deployment creates a snapshot of the API. A stage is a named reference to a deployment.
- Stage variables act like environment variables — use them to route to different Lambda aliases or backends.
- Canary deployments split traffic between the current stage and a canary for safe rollouts.
Throttling & Caching
- Default: 10,000 requests/second across all APIs in a region. Burst: 5,000.
- Per-method throttling can override account-level defaults.
- REST API caching: 0.5 GB to 237 GB. TTL: 0 to 3,600 seconds. A client invalidates a cached entry by sending the Cache-Control: max-age=0 request header.
- 429 Too Many Requests = throttled. 504 Gateway Timeout = backend integration timeout (max 29s).